Enable Office 365 Modern Authentication

If you have an Office 365 subscription, you can enable Multi-Factor Authentication (MFA) for end users, which adds an additional layer of security. Enabling MFA makes client apps require an app password to authenticate to Office 365 services. App passwords are long, randomly generated strings that are not easy to remember, so it is not convenient for end users to memorize them. That is where Office 365 modern authentication comes in.

Office 365 modern authentication lets Office clients use Active Directory Authentication Library (ADAL) based authentication across platforms. This enables client apps to use features such as MFA, SAML-based third-party identity providers, smart cards and certificate-based authentication. Once enabled, this removes the need for Outlook to use the basic authentication protocol.

In this post I will discuss how you can enable modern authentication support for your Office 2013 client apps and enable it for your Office 365 services.

Configuring Client Apps for Modern Authentication

Office 2016 client apps are enabled for modern authentication by default, so no additional configuration of the client apps or the OS is required. Office 2013 client apps, on the other hand, require registry keys to be set in the OS to enable modern authentication support. To enable modern authentication support for Office 2013 client apps, set the following registry keys on every computer that has Office 2013 client apps installed.

| Registry key | Type | Value |
| --- | --- | --- |
| HKCU\SOFTWARE\Microsoft\Office\15.0\Common\Identity\EnableADAL | REG_DWORD | 1 |
| HKCU\SOFTWARE\Microsoft\Office\15.0\Common\Identity\Version | REG_DWORD | 1 |
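
The two registry values above can be audited and set from PowerShell in the user's own session, since they live under HKCU. This is an added example, not part of the original post; the function name Set-Office2013ModernAuth and its -AuditOnly switch are hypothetical.

```powershell
# Added example: audit and, if needed, set the two Office 2013 modern
# authentication values from the table above. HKCU is per user, so this has to
# run in each user's session (for example from a logon script).
function Set-Office2013ModernAuth {          # hypothetical helper name
    [CmdletBinding()]
    param(
        [switch]$AuditOnly                   # hypothetical switch: report only, change nothing
    )

    $path     = 'HKCU:\SOFTWARE\Microsoft\Office\15.0\Common\Identity'
    $required = [ordered]@{ EnableADAL = 1; Version = 1 }

    # Create the Identity key if it does not exist yet.
    if (-not $AuditOnly -and -not (Test-Path -Path $path)) {
        New-Item -Path $path -Force | Out-Null
    }

    foreach ($name in $required.Keys) {
        $current = $null
        if (Test-Path -Path $path) {
            $current = (Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue).$name
        }
        # A REG_SZ "1" would compare equal to 1, so also require an integer (REG_DWORD).
        $compliant = ($current -is [int]) -and ($current -eq $required[$name])

        if (-not $compliant -and -not $AuditOnly) {
            # -Force overwrites an existing value, including one of the wrong type.
            New-ItemProperty -Path $path -Name $name -PropertyType DWord `
                -Value $required[$name] -Force | Out-Null
            $current   = (Get-ItemProperty -Path $path -Name $name).$name
            $compliant = ($current -is [int]) -and ($current -eq $required[$name])
        }

        [pscustomobject]@{
            Value     = "$path\$name"
            Current   = $current
            Required  = $required[$name]
            Compliant = $compliant
        }
    }
}

Set-Office2013ModernAuth -AuditOnly   # report the current state only
Set-Office2013ModernAuth              # set any missing or wrong value
```

Each call returns one object per registry value, so the output can be collected centrally to see which users still lack the setting.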

Configuring Office 365 Services for Modern Authentication

For the Office 365 services, the default state of modern authentication is:

Turned off for Exchange Online.

Turned on for SharePoint Online.

Turned off for Skype for Business Online.

Configuring Exchange Online for Modern Authentication

1. Connect to Exchange Online using PowerShell.

2. Check the modern authentication status (figure 1).

Get-OrganizationConfig | select *OAuth*

Figure 1

3. To enable modern authentication, run the command below (figure 2).

Set-OrganizationConfig -OAuth2ClientProfileEnabled:$true

Figure 2

4. To verify that the change was successful, run the command in step 2 again. If you see output similar to the screen below, you have succeeded (figure 3).

Figure 3

Configuring Skype for Business Online for Modern Authentication

1. Connect to Skype for Business Online using PowerShell.

2. Check the modern authentication status (figure 4).

Get-CsOAuthConfiguration | select *Adal*

Figure 4

3. To enable modern authentication, run the command below (figure 5).

Set-CsOAuthConfiguration -ClientAdalAuthOverride Allowed

Figure 5

4. To verify that the change was successful, run the command in step 2 again. If you see output similar to the screen below, you have succeeded (figure 6).

Figure 6

Client Experience

Once you enable modern authentication support in Office 365 services and in client apps (Office 2013), the requirement for app passwords is eliminated. MFA-enabled users will get an experience similar to the screenshots below, which were taken while configuring an email account in Microsoft Outlook and when the client was launched (figures 7 to 10).

4 thoughts on “Enable Office 365 Modern Authentication”

My client would like users to have MFA every time a user launches Outlook when using a home PC outside the company network. It does ask for MFA the first time the user sets up the Outlook client, but it caches the user password and doesn't ask again. Any suggestions, please?